Tuesday, April 22, 2008

Reporting - time for standardization?

[This is a repost of my forum post here. Comments welcome but perhaps most usefully posted as replies in the forum. Also, a tip of the hat to forum members BitHead and kovar for providing the impetus.]

I'd like to pick up on one or two comments from an earlier thread and bring the subject of report standardization into the spotlight.

This is a subject area which has cropped up before (in these forums and elsewhere) and also one which has given me pause for thought in practice - in common with most of us here, I imagine. I think the time is right to give some serious consideration as to whether the standard of reporting delivered by computer forensics practitioners is all that it could be and, more specifically, is the introduction of a suitably structured and widely accepted model a worthwhile goal to aim for.

A number of benefits have already been suggested for such a model, some of these being increased efficiency, increased accuracy, improvements in communicating with other parties and an increase in professional credibility. In addition, two paths have been suggested for achieving this goal - one, get the major computer forensic groups and organisations to agree on such a model and push it out to their members, the other, develop a model at a grass roots level and grow support and acceptance for it amongst members of the various computer forensics forums.

I'd like to request further comments from all of us here. Do you think there's anything wrong in principle with a standardized reporting model? If not, could such a model be developed which serves to provide the benefits mentioned above without undue restriction being placed on the report writer? What would be the best way of creating such a model? Would the time and effort spent developing a suitable model be worthwhile?